© Defensive Origins LLC C0310.1 – APT Optics Infrastructure - Sysmon
Applied Purple Teaming – Infrastructure, Threat Optics, and Continuous Improvement
June 6th, 2020
Sponsored by Black Hills Information Security
EndpointOptics
Sysmon
AuditPolicy
LC0310
AppliedPurpleTeaming
Infrastructure,ThreatOptics,andContinuousImprovement
June6,2020
Sysmon–AssistingwithEndpointLogging
https://github.com/olafhartong/sysmon-modular
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Biasedopinion:Sysmonisthebestfreeendpointloggingtoolavailable.
Nuancedopinion:Sysmoncancreatealotofnoise.
Sysmon-modular:Aconfigurablewaytohelpparseandlimitthenoise.
Also,asseenbelow,canhelpmapeventstoMITREtechniques
Createaconfigurationfileusingthesysmon-modularrepository.
Thecontainerstotherightincludeconfigurableoptions.
TheprocessbelowgeneratesacustomconfigfileforSysmon.
Parsesdirectoriesaslistedforincludes/excludes
Itcanbeadjustedandre-installedeasily
https://github.com/olafhartong/sysmon-modular
Sysmon–AssistingwithEndpointLogging
Theinstallprocessiseasy.
sysmon64.exe-accepteula-isysmonconfig.xml
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon–AssistingwithEndpointLogging
Theconfigupdateprocessiseasytoo.
Updatetheconfigdirectoryfromtheprevious
slideinaccordancewithlifecyclechanges.
Re-generatethesysmonconfig.xmlwiththe
modulartool.
sysmon.exe-csysmonconfig-update.xml
Sysmon – Assisting with Endpoint Logging
Catches things accurately.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://github.com/olafhartong/sysmon-modular
Windows Audits the CLI and PowerShell Natively, Right?
https://github.com/olafhartong/sysmon-modular
Wrong.
Domain controllers? Nope.
Workstations? Nope.
Anything? Nope.
AuditPolicy
Thecommandpromptway.
auditpol.exe/set/Category:*/success:enable
auditpol.exe/set/Category:*/failure:enable
auditpol.exe/get/Category:*
ConfigurableviaGPO
Moredifficult,settingsinafewdifferentplaces
BUT–granularcontrolsarenice
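The granular side of auditpol, as an added PowerShell example that is not from the slides: auditpol's /r switch emits the effective policy as CSV, which parses straight into objects, so the current state can be diffed against a baseline of subcategories a detection program depends on and the gaps enabled per subcategory instead of turning on every category wholesale. The baseline list is an assumption for illustration, not a course or vendor recommendation.

```powershell
# Added example: compare effective audit policy with a baseline and fix gaps per subcategory.
# Baseline is an assumption; tune it to the events your detections actually use.
$AuditBaseline = @(
    'Process Creation',                     # 4688; required for command line auditing
    'Logon',                                # 4624 / 4625
    'Logoff',
    'Special Logon',                        # 4672
    'Credential Validation',                # 4776
    'Kerberos Authentication Service',      # 4768 / 4771
    'Kerberos Service Ticket Operations',   # 4769
    'Security Group Management',
    'User Account Management',
    'Audit Policy Change'
)

function Get-AuditPolicyState {
    # /r emits CSV with columns: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. The first output line is blank, so drop empties.
    auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'   # No Auditing | Success | Failure | Success and Failure
            }
        }
}

function Test-AuditBaseline {
    param([string[]]$Required = $AuditBaseline, [switch]$Fix)
    $state = Get-AuditPolicyState
    foreach ($sub in $Required) {
        $row = $state | Where-Object Subcategory -eq $sub
        $ok  = [bool]($row -and $row.Setting -eq 'Success and Failure')
        if (-not $ok -and $Fix) {
            # Subcategory-level set: only this subcategory changes, nothing else in the category.
            auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        }
        [pscustomobject]@{
            Subcategory = $sub
            Current     = if ($row) { $row.Setting } else { 'not found' }
            Compliant   = $ok
        }
    }
}

Test-AuditBaseline | Format-Table -AutoSize
# Test-AuditBaseline -Fix   # enable whatever is missing (run elevated)
```

Subcategory names come from the OS language, so on non-English systems match on the Subcategory GUID column instead. On a domain-joined host a GPO will reassert its own settings at refresh, so the -Fix path is for standalone machines or for confirming what a GPO should contain.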
WindowsEventCollection-CommandLineLoggingisEasy
Maxlogfilesizeissmallbydefault.
Commandlineloggingisoffbydefault.
“Toseetheeffectsofthisupdate,youwillneedtoenabletwopolicysettings”
Admin.Templates>System>AuditProcessCreation
Policies>Windows>Security>AdvancedAudit>DetailedTracking
Yeah,andonelastthing:Thesecondsettingmaybeoverwritten.
WindowsEventCollection-CommandLineLoggingisEasy
ToavoidtheoverwritingofAdvancedAuditsettings,athird settingisrequired.
Computer Configuration > Policies > Windows Settings > Security > Local > Security
Setting–Audit:ForceAuditPolicySubcategorySettings=Enabled
WindowsEventCollection-PowerShellLoggingisEasy
ThePowerShellwaytoturnonauditing:
WevtUtilgl"WindowsPowerShell"(listconfiguration)
WevtUtilsl"WindowsPowerShell"/ms:512000000
WevtUtilsl"WindowsPowerShell"/rt:false
WevtUtilgl"Microsoft-Windows-PowerShell/Operational"(listconfiguration)
WevtUtilsl"Microsoft-Windows-PowerShell/Operational"/ms:512000000
WevtUtilsl"Microsoft-Windows-PowerShell/Operational"/rt:false
Canalsoconfigurethefollowingviacommandlineoptions.
ModuleLogging
ScriptBlockLogging
ScriptExecutionPrivileges(ie:signed/bypass/enforced)
WindowsEventCollection-PowerShellLoggingisEasy
TheGroupPolicywaytoturnonPowerShellauditing:
Policies > Admin Templates > System > Audit Process Creation
CanalsoconfiguremoregranularthingsunderthePowerShell
configsection.
Admin Templates > Windows Components > Windows PowerShell
ModuleLogging
ScriptBlockLogging
ScriptExecutionPrivileges(ie:signed/bypass/enforced)
WindowsEventCollection
WhatAboutIISLogging?
Yeah,that’snotonbydefaulteither.
LogFiles(text)writtenbydefault…
Nothingtoeventlog.
Enable:
BothlogfileandETWevent
Maximumfilesize
Andthenyoucancatch:
MailSniper
BurpSuitesprays
Hydra
AuthenticationinteractionswithExchange
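The IIS configuration and the kind of detection it enables, as an added example that is not from the slides: the first function sets the site-default log target to both the W3C file and ETW (the events land in the Microsoft-IIS-Logging/Logs channel) and caps the text log by size, using WebAdministration cmdlets on the IIS host. The second function is a small W3C parser that flags a client generating many 401s against the Exchange authentication endpoints, which is what a MailSniper, Burp or Hydra spray looks like from the server side. The endpoint list, the threshold and the log lines at the end are constructed for the demo.

```powershell
# Added example: IIS logging to file + ETW, and a spray detector over W3C log lines.
function Enable-IisEtwLogging {
    param([long]$MaxLogBytes = 100MB)
    Import-Module WebAdministration
    $filter = 'system.applicationHost/sites/siteDefaults/logFile'
    # Write both the W3C text log and ETW events (Microsoft-IIS-Logging/Logs channel).
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name logTargetW3C -Value 'File,ETW'
    # Roll the text log by size rather than letting a daily file grow unbounded.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name period -Value 'MaxSize'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name truncateSize -Value $MaxLogBytes
    # Make sure the ETW channel itself is enabled.
    wevtutil.exe sl Microsoft-IIS-Logging/Logs /e:true
}

function Find-AuthSprayCandidates {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$FailureThreshold = 20,   # assumption; tune to your normal 401 rate
        [string[]]$AuthPaths = @('/owa/auth.owa', '/autodiscover/autodiscover.xml',
                                 '/ews/exchange.asmx', '/microsoft-server-activesync')
    )
    # W3C logs are space-separated with a '#Fields:' header naming the columns (spaces in values are '+').
    $fields = $null
    $rows = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $vals = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) { $row[$fields[$i]] = $vals[$i] }
        [pscustomobject]$row
    }
    $rows |
        Where-Object { $_.'sc-status' -eq '401' -and $AuthPaths -contains $_.'cs-uri-stem'.ToLower() } |
        Group-Object 'c-ip' |
        Where-Object Count -ge $FailureThreshold |
        ForEach-Object {
            [pscustomobject]@{
                ClientIp      = $_.Name
                Failed401     = $_.Count
                # IIS often records '-' here on a failed request; count it only when populated.
                DistinctUsers = @($_.Group.'cs-username' | Where-Object { $_ -ne '-' } | Sort-Object -Unique).Count
                UserAgents    = (@($_.Group.'cs(User-Agent)' | Sort-Object -Unique) -join ';')
                FirstSeen     = ($_.Group | Select-Object -First 1).time
                LastSeen      = ($_.Group | Select-Object -Last 1).time
            }
        }
}

# Constructed sample: one client rotates through 25 usernames against /owa/auth.owa, one normal user.
$header = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status'
)
$spray  = 1..25 | ForEach-Object {
    '2020-06-06 14:01:{0:d2} 10.0.0.5 POST /owa/auth.owa - 443 corp\user{1} 203.0.113.7 python-requests/2.23 401' -f ($_ % 60), $_
}
$normal = '2020-06-06 14:02:10 10.0.0.5 GET /owa/ - 443 corp\alice 192.0.2.10 Mozilla/5.0 200'
$SampleLog = $header + $spray + $normal

Find-AuthSprayCandidates -Lines $SampleLog -FailureThreshold 20 | Format-Table -AutoSize
# Expected: one row for 203.0.113.7 with Failed401 = 25 and DistinctUsers = 25.
```

Many distinct usernames with few failures each from one source is the spray signature; the same parser run over a real log directory (Get-Content on the u_ex*.log files) gives the same result, and once the ETW target is on, the identical fields are available to the event collector without touching the text files.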
WindowsEventCollection-MakingSenseOutofitAll.
1.Sysmoncanhelp,alot.Thisisnotasilverbullet,nothingis.
2.Commandlineauditingshouldbeconfiguredtocaptureprocesscreationevents.
3.PowerShellmoduleloggingandtranscriptionshouldbeconfiguredviaGroupPolicy.
4.IISdoesn'tlogtoEventViewerwithoutconfiguration.
5.Loggingandauditingcanbeachallenge,andwe'reuptothetask.